Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
code423n4Code4renaCODE423N4:2023-10-CANTO-FINDINGS-ISSUES-236
HistoryOct 06, 2023 - 12:00 a.m.

Manipulation of Overall Liquidity Calculation

2023-10-0600:00:00
Code4rena
github.com
2
liquiditymining
overalltimeweightedliquidity
rewardscalculation
mitigation
smartcontract
vulnerabilitymanipulation

AI Score

7.1

Confidence

Low

JSON

Lines of code

Vulnerability details

Impact

in this part in code : <https://github.com/code-423n4/2023-10-canto/blob/40edbe0c9558b478c84336aaad9b9626e5d99f34/canto_ambient/contracts/mixins/LiquidityMining.sol#L276C12-L290C2&gt; is handle the claiming of rewards for liquidity mining. It calculates rewards based on the liquidity provided by a user, their position, and certain parameters like ambRewardPerWeek_ and overallTimeWeightedLiquidity, the problem is in the calculation of rewardsForWeek ,If overallTimeWeightedLiquidity becomes zero or very small, it could lead to a division by zero or a negligible reward, allowing attackers to potentially claim more rewards than they deserve.
An attacker could manipulate the overallTimeWeightedLiquidity value or orchestrate transactions in such a way that this value becomes extremely low. This would result in an inflated rewardsForWeek, allowing the attacker to claim more rewards than they should.

Proof of Concept

  • attacker deploys a smart contract called MaliciousContract, which interacts with the liquidity mining contract.

  • the MaliciousContract, the attacker sets up a function that triggers the liquidity calculation in the target contract.

    contract MaliciousContract {
    LiquidityMining targetContract; // The target liquidity mining contract

    constructor(address _targetContract) {
    targetContract = LiquidityMining(_targetContract);
}

function triggerRewardCalculation(address _user) public {
    // Assume the attacker knows the user's position, pool, and week
    bytes32 poolIdx = ...;
    bytes32 posKey = ...;
    uint32 week = ...;

    // Manipulate overallTimeWeightedLiquidity to a very low value
    targetContract.setOverallTimeWeightedLiquidity(poolIdx, week, 1); // Set it to a very low value
    targetContract.claimAmbientRewards(_user, poolIdx, week); // Trigger the reward calculation
}

    }

  • The attacker deploys MaliciousContract and calls triggerRewardCalculation with the target user’s address and the relevant parameters.

  • The target liquidity mining contract calculates rewardsForWeek using the manipulated overallTimeWeightedLiquidity, resulting in a much higher reward value than expected.

Tools Used

manual review

Recommended Mitigation Steps

  • added a check to ensure that overallTimeWeightedLiquidity is greater than zero before calculating rewardsForWeek. If overallTimeWeightedLiquidity is zero or negative, the code can handle this situation

    // Check if overallTimeWeightedLiquidity is greater than zero before calculating rewards
    if (overallTimeWeightedLiquidity > 0) {
    uint256 rewardsForWeek = (timeWeightedWeeklyPositionAmbLiquidity_[poolIdx][posKey][week] * ambRewardPerWeek_[poolIdx][week]) / overallTimeWeightedLiquidity;
    rewardsToSend += rewardsForWeek;
    } else {
    // Handle the case where overallTimeWeightedLiquidity is zero or negative
    // You may want to revert the transaction, emit an error event, or take other appropriate actions.
    }

Assessed type

Other

The text was updated successfully, but these errors were encountered:

All reactions

AI Score

7.1

Confidence

Low

JSON